Wednesday, August 29, 2007

Keeping track of the number of spy programs administered by federal law enforcement and the executive branch can get confusing. But with the curtailment of the TALON database on antiwar activists and the suspension of the ADVISE system (which sifted through private personally identifiable information without regard to federal privacy regulation), is the Pentagon shifting its priorities? Don't count on it:

The ACLU contends that the Pentagon's stated reason for the program's closure is irrelevant. "People are cautiously optimistic [that] the tide is turning," says Jameel Jaffer, director of the ACLU's National Security Project. "But you have to see that TALON program in the context of the many other surveillance programs that have been introduced over the last five years. We're in a bizarre situation where, for the first time, the government is demanding more and more information about individuals and at the same time making it more difficult for them to get the information that they need in order to evaluate the government and whether it's acting within the law."

And how do members of the public react to all this unsought attention? In most cases, they either take it for granted or feel reassured. To a considerable extent, whether through willing acquiescence or willful innocence, people seem surprisingly ready to accept what would have been seen, not so long ago, as alarming invasions of privacy. Indeed, in an age that empowers anyone with a cell phone camera and an Internet connection, we're all free to participate in this surge of information gathering and revelation. All of us can be spied on and engage in some high-visibility spying of our own.

A number of privacy experts believe that the real concerns lie less in the public sphere than they do in the largely unregulated environs of commerce.

"It's a simple fact that private companies can collect information about people in ways the government can't," Robert O'Harrow Jr. wrote in his 2005 book "No Place to Hide." "At the same time, they can't be held accountable for their behavior or their mistakes the way government agencies can."

How do people reclaim their privacy?

What's strikingly distinct about privacy in the digital age is not only the thoroughness with which it can be penetrated, but the ease of sharing that information widely. In an odd but somehow perversely logical reaction, self-revelatory tools like YouTube and MySpace have flourished. It's as if people were seizing control of their own privacy and serving it up to the public before anyone can seize it away from them. Gandy labels the trend "counter-exhibitionism, since there's no privacy left."

Friday, August 24, 2007

Author Naomi Klein explains how the videoing of protesters at the Security and Prosperity Partnership (SPP) summit has dire implications for democracy hamstrung by "the security state as infotainment":

If videotaping activists meets the legal requirement that dissenting citizens have the right to be seen and heard, what else might fit the bill? How about all the other security cameras that patrolled the summit--the ones filming demonstrators as they got on and off buses and peacefully walked down the street? What about the cellphone calls that were intercepted, the meetings that were infiltrated, the e-mails that were read? According to the new rules set out in Montebello, all of these actions may soon be recast not as infringements on civil liberties but the opposite: proof of our leaders' commitment to direct, unmediated consultation.

In the run-up to the SPP summit, a spate of surveillance scandals helped paint a fuller picture. First, Congress not only failed to curtail the National Security Agency's warrantless wiretapping but opened the door to snooping into bank records, phone call patterns and even physical searches--all without any onus to prove the subject is a threat. Next, the Boston Globe reported on plans to link thousands of CCTV cameras on streets, subways, apartment buildings and businesses into networks capable of tracking suspects in real time. And on August 15, confirmation came that the National Geospatial-Intelligence Agency--the arm of the US military that runs spy planes and satellites over enemy territory--would be fully integrated into the infrastructure of domestic intelligence gathering and local policing, becoming what the agency calls the "eyes" to the NSA's "ears."

Wednesday, August 22, 2007

Now that the budget has been passed, Sen. Joe Simitian's SB 28, 29, and 362 are scheduled for their Assembly Third Reading on Monday, August 27th. 28 and 29 address issues surrounding the use of RFID in government-issued documents, and 362 bans forced subcutaneous human implanting of RFID. Sen. Ellen Corbett's SB 388 (also scheduled for a third reading Monday) would require companies to inform customers of tags embedded in credit cards, or other products.

Consumers should always be skeptical of “the sky is falling” claims from industry or government - particularly when their profits and power stand to expand. The solutions authored by Senators Simitian and Corbett are reasonable and restrained approaches that balance the beneficial uses of the technology with the need for common sense privacy protections.

The Threat and Local Observation Notice (Talon) database had become a lightning rod for criticism of military intelligence agencies’ monitoring of antiwar protestors. The decision to shut it down resonated with parallel litigation and debate about the legality of federal monitoring of international telecommunications.

...“It was high time for this [Talon] program to be shut down,” said Anthony Romero, executive director of the ACLU, in a press statement. “There should have been no place in a free, democratic society for the military to be accumulating secret data on peaceful demonstrators exercising their First Amendment rights.”

Tuesday, August 21, 2007

President Bush and Attorney General Alberto Gonzales have expanded [the "state secrets" privilege] to throw out a lawsuit (PDF) saying that AT&T illegally opened its network to the National Security Agency. Their arguments rest on the principle that even if the president is breaking the law, he can get away with it as long as he invokes national security. Courts would be demoted to a clerical role of noting that the "state secrets" privilege has been invoked and dismissing the case post-haste.

Thursday, August 16, 2007

A group of reporters and their family members whose private telephone records were secretly obtained as part of Hewlett-Packard Co.'s boardroom surveillance scheme sued the technology giant and two former executives Wednesday.

This lawsuit is the latest development in the HP boardroom scandal that erupted last year, sparking public debate and launching a Congressional investigation on the fraudulent gathering of private phone records and personal information known as pretexting.

Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One Facebook user divulged his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.

Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.

Here again, consumer education is a vital preventative measure. But so are corporate responsibility and stiffer penalties for identity thieves.

More and more it seems the onus is being placed on consumers to protect themselves from fraud, with less emphasis on requiring financial institutions and businesses to act as the first line of defense:

So consumers and regulators are increasingly demanding more protection from Internet companies. Last week, the advocacy group Center for Democracy and Technology issued a report that said Internet companies are responding by offering more online security and policies, such as erasing search histories.

Security experts, however, say some of the most important protections aren't found online but in the heads of Internet users. All too often online consumers drop their guard, exposing themselves to fraud, spyware and other malicious attacks.

While vigilance is key, it's not a cure-all for the often sophisticated strategies of identity thieves. That's where legal safeguards come into play.

Participants who received privacy information were more likely to buy from sites offering medium or high levels of privacy. Those who did not see privacy information generally made purchases from the lowest-priced vendor. The suggestion is that people will pay a premium for privacy when privacy information is more accessible. Perhaps surprisingly, the effect was pretty much the same for the non-privacy sensitive purchase as for the privacy sensitive purchase.

In the real world, merchants with good and prominently displayed privacy policies compete against others who either do not have good privacy policies or do not promote their policies. Ordinarily, consumers have little control over the privacy practices of those collecting information, but consumers do control who they do business with. The study does not offer direct conclusions about how consumers react in an environment that includes good, bad and no privacy information.

As much as I would like to say that it is good for business to have and display a pro-consumer privacy policy, I don’t think that conclusion necessarily follows directly from the study, although the study supports the notion. Still, the prospect of higher prices for products sold in a pro-privacy online environment should be intriguing enough to attract the attention of any company selling on the Internet. Better consumer privacy protection and higher prices could be a stunning combination. Maybe it’s time to stop fighting privacy and raise your prices.

Safeguarding consumers' private personal information is, however, fairly low cost--perhaps paying a premium wouldn't even be necessary. Protecting privacy is good for consumers and good for business. If only it were practiced voluntarily.

Like most victims of ID theft, I couldn't get anyone in law enforcement interested in my case. Only about 1% of cases reportedly result in convictions. So I went after Davis myself.

Long story short, I compiled an extensive file of Davis' doings and whereabouts and then shared the info with a sympathetic investigator working for the U.S. Postal Service. This resulted in Davis' arrest and eventual conviction in 2003 for Social Security fraud.

Because he was in the country illegally, Davis was subsequently deported to his native Jamaica, where, in my more resentful moments, I imagine him kicking it on the beach and smirking about not having to serve a single day in prison for leaving my credit record in tatters.

And that, I hoped, was the end of it. But no. Last week, I was informed that my efforts to buy a home here in Los Angeles were on the verge of collapsing because the claims against Davis filed by the casinos are still on file somewhere. The mortgage company thus saw me as a bad bet.

...After days of frantic negotiations, all the legwork I did on my ID theft finally convinced the top execs of the mortgage company that maybe I'm not quite the credit risk that Davis' casino trespasses would indicate. The loan was approved.

But how is it that, years after Davis was convicted for stealing my identity, he's still screwing up my life? Foley, of the Identity Theft Resource Center, said this wasn't unusual. "You think you get everything solved," she said, "and then it's like a ghost that reappears."

This isn't about "demonizing" a technology. It's about using it judiciously. The microchip in your arm -- unlike the toll transmitter on your windshield or the credit card in your wallet -- can't be put away in a vault or tossed out easily. It's there, radiating your identity and perhaps much more, for 10-15 years unless you have it removed at great pain and expense -- assuming your government or employer allows you to do so.

Undocumented people will have less motivation to use others' social security numbers if government, financial institutions, and other entities will accept tax identification numbers to identify people (so long as tax identification numbers are freely and unconditionally made available to all by the Internal Revenue Service) for paying taxes, opening bank accounts, obtaining credit, obtaining drivers' licenses, and earning payroll funds, rather than using social security numbers for identity. Unfortunately, every year, social security numbers have been used more often as de facto national identification cards.

Consequently, people sometimes come to us having been criminally charged with using false social security numbers and with related problems. Unfortunately, a conviction for using a false social security number or for purloining others' identity can lead to negative consequences with the immigration authorities.

Changing the way social security numbers are used would seem to be a positive move not only because it raises the possibility of incorporating undocumented workers into the economic system through a degree of legal recognition, but for reducing instances of identity theft and guarding the confidentiality of social security numbers and privacy in general.

The top five U.S. search engines have all recently modified their data retention policies to be more user friendly, due to lawsuits over disclosures, pressure from government regulators and a desire to be perceived by net searchers as less evil than the others, the Center for Democracy and Technology's Deputy Director Ari Schwartz told THREAT LEVEL today regarding the group's release of a report on the changes.

No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors. With consumers sharing more data than ever before online, the time has come to harmonize our nation's privacy laws into a simple, flexible framework.

Wired notes that "CDT distinguishes itself from most privacy groups by working closely with tech companies and with legislators," drawing criticism from fellow advocates at the Center for Digital Democracy. Executive Director Jeffrey Chester called for full disclosure on corporate ties and said the report gave competition undue credit for privacy improvements, failing to sufficiently emphasize the impact of advocates' policy-related pressure. This critique aside, CDD and CDT essentially agree that consumer privacy is not an issue to be determined by market forces alone:

...It is necessary to recognize just how much slack the online advertising and marketing industry has been given with our personal information. The main point is that consumers are at risk; updated federal consumer protection policies are essential to an environment that increasingly uses personal data as its commodity.

Tuesday, August 7, 2007

Recent developments suggest that deployment of the controversial Real ID national identification program still faces significant obstacles related to its $11 billion cost and its privacy and security risks.

...Congress included no mandatory protections for privacy in the Real ID Act, said Leslie Harris, executive director of the Center for Democracy and Technology, a nonprofit advocacy group. As currently conceived, the system does not respect basic privacy principles because it collects too much data, is susceptible to mission creep and has too much centralized information, she said.

“The Real ID Act fails every single privacy principle,” Harris said. “I support hardening driver’s licenses, but we have to do it right. Privacy cannot be an add-on after the fact.”

"We're certainly not the rabble-rousers out there trying to lead a rebellion," said Denise Blair, the assistant deputy director of the California Department of Motor Vehicles, referring to Maine's efforts.

Blair, who favors the Real ID Act, did say, however, that it will cause some administrative headaches for California when more than 3 million more people a year are visiting local motor vehicle offices.

Privacy risks might be heightened in Washington because the card design includes an RFID tag to conform with other border-crossing cards such as DHS’ anticipated People Access Security Service card. The PASS card will use a Generation 2 RFID tag that can be read at 20 feet. The PASS card and the hybridID card in Washington are among the first human-identification programs in the world to use such long-distance RFID technology.

The technology is controversial because it was created for warehouse tracking of goods for sale. This type of RFID tag contains no encryption and can be scanned easily by readers at long distances, thus raising privacy and human-tracking concerns.

"It is a visual reminder of how our private spaces are really shrinking," said Pam Dixon, executive director of the World Privacy Forum, a San Diego advocacy group. "We've never had the expectation of privacy in public places, but it's the technology that causes us to reexamine this. Computers have very long memories."

...

"They should build in privacy protection mechanisms as a matter of course," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "I don't see them proactively addressing the privacy implications of their various products, and they need to."

If Google doesn't have the tools now, advocates say, it could in short order, because software companies are working on far more complex technology for recognizing specific faces.

"The Street View issue is part of a broad trend where more and more information is taken from the public," [Kevin Bankston of the Electronic Frontier Foundation] said. "We expect some degree of anonymity in our lives. How does one maintain a free society when all of your activity is scrutinized?"

Some privacy advocates also suggested that Google post notices saying which streets or neighborhoods it planned to target on a given day so that people averse to being photographed could steer clear.

Some interesting insights from readers of the tech savvy blog BoingBoing:

Marcus says,

Google is socialising the cost of privacy protection by choosing an opt-out approach rather than opt-in or an expensive internal review of the collected data. On the other hand, it is privatizing the public data and any profit derived from that. It is thus no less evil than other corporations, and considerably more evil than the NSA or CIA, who at least in principle can be held accountable as public institutions.

Ripley says,

All the discussion on what our privacy rights are in law is interesting, but people should recognize that what's going on here is beyond law, and reveals gaping holes in law.

Folks seem to grasp that pretty readily when it's copyright law, but it's just as true for privacy.

In the same way that law doesn't adequately capture what's important about the AACS code, law doesn't really help us understand what's problematic about Google allowing us to watch each other remotely.

Law here has been partly shaped by what was physically possible - we didn't need to have laws about being watched and recorded remotely by people we can't see who may be doing it for fun or profit…or for the government.

…So falling back on what our "rights" are under law is just not going to get us very far.

Also, it's important to ask "what if the CIA were doing it" especially because there is nothing stopping them from using the service now, and of course they will. So might health insurance agencies, your boss, stalkers you know, stalkers you don't know, parents of people you are dating, etc etc etc. Alongside all the people/groups who might be unsympathetic to you and take images of you out of context for their own purposes, we should also be concerned about the lack of belief that we have any rights not specifically defined by law.

Monday, August 6, 2007

When we talk of privacy in the Internet age, we mostly speak of financial information and the mounds of data that search engines keep on our e-behavior. But more and more, digital media and the relative anonymity of the Web enable netizens to expose, call out and shame others in cyberspace.

...It's not so much a centralized authority we fear but our fellow citizens, who now have the capacity to grab little pieces of our lives, pass judgment on them and project them across the globe.

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.
